36. Secure Use of External Tools and Shells
When running external programs from Python, avoid shell=True and validate every value that ends up in the command. With shell=True the command string is parsed by /bin/sh, so metacharacters such as ; | & $ in untrusted input become extra commands.
Insecure Example
import subprocess

# Untrusted input (constructed for the example); the ';' terminates the first command
user_input = "test; echo HACKED"
# shell=True hands the string to /bin/sh, which runs "test" and then "echo HACKED"
subprocess.run(user_input, shell=True)
Secure Example
import subprocess
import shlex

user_input = "test; echo HACKED"
# Program and arguments as a list: no shell is involved, so the untrusted
# value is passed to echo as one literal argument and is printed verbatim
cmd = ["echo", user_input]
# shlex.join only quotes the command for safe logging; it is never re-parsed
print("running:", shlex.join(cmd))
subprocess.run(cmd, check=True)
✅ Lesson: Avoid shell=True. Always specify the command and arguments separately.
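The following added example (not part of the original lesson) puts the two patterns side by side as functions so the difference is observable: the same untrusted string produces two commands under shell=True and one literal argument as an argv list. It also adds the check a reviewer would ask for next, an allow-list that rejects shell metacharacters and a leading "-" (so the value cannot be read as an option by the called program). The input string, the regular expression and the function names are constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed untrusted input: what a user might submit in a form field.
UNTRUSTED = "test; echo HACKED"

# Allow-list for a value that becomes a single argv element. The first
# character must be alphanumeric, which also rules out a leading '-' that the
# called program could interpret as an option (argument injection).
SAFE_ARG = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,63}")


def validate_arg(value: str) -> str:
    """Return value unchanged if it matches the allow-list, else raise ValueError."""
    if not SAFE_ARG.fullmatch(value):
        raise ValueError(f"rejected argument: {shlex.quote(value)}")
    return value


def run_via_shell(user_input: str) -> str:
    """Insecure: the string is parsed by /bin/sh, so ';' starts a second command."""
    result = subprocess.run(f"echo {user_input}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_as_argv(user_input: str) -> str:
    """Secure: argv list and no shell; the whole string is one literal argument."""
    result = subprocess.run(["echo", user_input], capture_output=True,
                            text=True, check=True)
    return result.stdout


def run_validated(user_input: str) -> str:
    """Secure plus allow-list: refuse anything outside the expected shape."""
    return run_as_argv(validate_arg(user_input))


if __name__ == "__main__":
    print("shell=True ->", repr(run_via_shell(UNTRUSTED)))   # 'test\nHACKED\n'
    print("argv list  ->", repr(run_as_argv(UNTRUSTED)))     # 'test; echo HACKED\n'
    try:
        run_validated(UNTRUSTED)
    except ValueError as err:
        print("validated  ->", err)
```

Passing an argv list stops shell injection, but it does not stop a value such as "-rf" from being treated as an option by the program you call; that is why run_validated rejects input that does not start with an alphanumeric character. For programs that support it, placing "--" before user-controlled arguments closes the same gap.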